[solved] entities problem

Posted: Tue Jul 15, 2008 4:49 pm
by piotrekkr
Hi, I have a problem with textareas and maybe with the CMS. I have a form with a textarea and I post data like this:

Code:

ąśćł!!!!!
then I post the data, show it with var_dump($params) and insert the posted data back into the form textarea, and I get something like this:
in source code by var_dump():

Code:

["abaut"]=>
  string(33) "ąśćł&#33;&#33;&#33;&#33;&#33;"
in source code in textarea:

Code:

ąśćł&amp;#33;&amp;#33;&amp;#33;&amp;#33;&amp;#33;
in textarea on page:

Code:

ąśćł&#33;&#33;&#33;&#33;&#33;
It should be

Code:

ąśćł!!!!!
on page. My question is: why does CMSMS make entities of params after sending them to the module? It appears that CreateTextarea() makes entities automatically. So entities are made two times. How do I turn off automatic entities in params? Or isn't it CMSMS which is doing this? Could it be my new hosting server? I use CMSMS version 1.3.1. Thank you for your help. :)

PS. Sorry for my poor English.

Re: entities problem

Posted: Wed Jul 16, 2008 8:30 pm
by piotrekkr
I looked into the CMS core and it looks like there is a function cms_htmlentities() that converts characters to entities.

Code:

/**
 * Enter description here...
 *
 * @param unknown $val
 * @param integer $quote_style
 * @return unknown
 * 
 * $quote_style may be one of:
 *     ENT_COMPAT   : Will convert double-quotes and leave single-quotes alone. 
 *     ENT_QUOTES   : Will convert both double and single quotes. 
 *     ENT_NOQUOTES : Will leave both double and single quotes unconverted. 
 */
function my_htmlentities($val)
{
	if ($val == "")
	{
		return "";
	}
	$val = str_replace( "&#032;", " ", $val ); 

	//Remove sneaky spaces 
	// $val = str_replace( chr(0xCA), "", $val );   

	$val = str_replace( "&"            , "&amp;"         , $val ); 
	$val = str_replace( "<!--"         , "&#60;&#33;--"  , $val ); 
	$val = str_replace( "-->"          , "--&#62;"       , $val ); 
	$val = preg_replace( "/<script/i"  , "&#60;script"   , $val ); 
	$val = str_replace( ">"            , "&gt;"          , $val ); 
	$val = str_replace( "<"            , "&lt;"          , $val ); 
	
	
	$val = str_replace( "\""           , "&quot;"        , $val ); 

	// Uncomment it if you need to convert literal newlines 
	//$val = preg_replace( "/\n/"        , "<br>"          , $val ); 

	$val = preg_replace( "/\\$/"      , "&#036;"        , $val ); 

	// Uncomment it if you need to remove literal carriage returns 
	//$val = preg_replace( "/\r/"        , ""              , $val ); 

	$val = str_replace( "!"            , "&#33;"         , $val ); 
	$val = str_replace( "'"            , "&#39;"         , $val ); 
	 
	// Uncomment if you need to convert unicode chars 
	//$val = preg_replace("/&#([0-9]+);/s", "&#\1;", $val ); 

	// Strip slashes if not already done so. 

	//if ( get_magic_quotes_gpc() ) 
	//{ 
	//	$val = stripslashes($val); 
	//} 

	// Swop user inputted backslashes 

	//$val = preg_replace( "/\(?!&#|?#)/", "\", $val );

	return $val;
}
But I still don't know why this function is used on every param just after sending them by the form?? How do I turn off the feature that uses this function on every param I send?? Plz help

//edit:
OK, I thought it might be a problem with my web hosting, but I ran a copy of CMSMS on my localhost and it didn't resolve my problem. Does anybody know how to fix this???? Please help

Re: entities problem

Posted: Sat Jul 19, 2008 12:17 pm
by piotrekkr
OK, I found it after hours of searching and tests... The problem was in the DoBaseAction() function.

Code:

function DoActionBase($name, $id, $params, $returnid='')
	{
	  
	  if( $returnid != '' )
	    {
	      if( !$this->restrict_unknown_params && 
		  get_site_preference('allowparamcheckwarnings',0))
		{
		  trigger_error('WARNING: '.$this->GetName().' is not properly cleaning input params.',E_USER_WARNING);
		}
	      // used to try to avert XSS flaws, this will
	      // clean as many parameters as possible according
	      // to a map specified with the SetParameterType metods.
	      $params = cleanParamHash($params,$this->param_map,
				       !$this->restrict_unknown_params);
	    }
.......

}
The problem was in

Code:

$params = cleanParamHash($params,$this->param_map,
				       !$this->restrict_unknown_params);
Code of the cleanParamHash() function:

Code:

/**
 * Method to sanitize all entries in 
 * a hash
 *
*/
define('CLEAN_INT','CLEAN_INT');
define('CLEAN_FLOAT','CLEAN_FLOAT');
define('CLEAN_NONE','CLEAN_NONE');
define('CLEAN_STRING','CLEAN_STRING');
define('CLEAN_REGEXP','regexp:');
define('CLEAN_FILE','CLEAN_FILE');
function cleanParamHash($data,$map = false,
						$allow_unknown = false,$clean_keys = true)
{
  $mappedcount = 0;
  $result = array();
  foreach( $data as $key => $value )
	{
	  $mapped = false;
	  $paramtype = '';
	  if( is_array($map) )
		{
		  if( isset($map[$key]) )
			{
				$paramtype = $map[$key];
			}
		  else {
			  // Key not found in the map
			  // see if one matches via regular expressions
			  foreach( $map as $mk => $mv ) {
				  if(strstr($mk,CLEAN_REGEXP) === FALSE) continue;

				  // mk is a regular expression
				  $ss = substr($mk,strlen(CLEAN_REGEXP));
				  if( $ss !== FALSE ) {
					  if( preg_match($ss, $key) ) {
						  // it matches, we now know what type to use
						  $paramtype = $mv;
						  break;
					  }
				  }
			  }
		  } // else

		  if( $paramtype != '' ) {
			  switch( $paramtype ) {
			  case 'CLEAN_INT':
				  $mappedcount++;
				  $mapped = true;
				  $value = (int) $value;
				  break;
			  case 'CLEAN_FLOAT':
				  $mappedcount++;
				  $mapped = true;
				  $value = (float) $value;
				  break;
			  case 'CLEAN_NONE':
				  // pass through without cleaning.
				  $mappedcount++;
				  $mapped = true;
				  break;
			  case 'CLEAN_STRING':
				  $value = cms_htmlentities($value);
				  $mappedcount++;
				  $mapped = true;
				  break;
			  case 'CLEAN_FILE':
				  $value = cms_cleanfile($value);
				  $mappedcount++;
				  $mapped = true;
				  break;
			  default:
				  $mappedcount++;
				  $mapped = true;
				  $value = cms_htmlentities($value);
				  break;
			  } // switch
		  } // if $paramtype
			  
		}

	  // we didn't clean this yet
	  if( $allow_unknown && !$mapped )
		{
		  // but we're allowing unknown stuff so we'll just clean it.
		  $value = cms_htmlentities($value);
		  $mappedcount++;
		  $mapped = true;
		}

	  if( $clean_keys )
		{
		  $key = cms_htmlentities($key);
		}

	  if( !$mapped && !$allow_unknown )
		{
		  trigger_error('Parameter '.$key.' is not known... dropped',E_USER_WARNING);
		  continue;
		}
	  $result[$key]=$value;
	}
  return $result;
}
cms_htmlentities() uses the my_entities() function to convert some characters to entities.
As I understand it, the cleanParamHash() function should protect against XSS attacks, but it really irritated me >:( I think that everyone should protect his scripts himself and it shouldn't be imposed by the core... If it is already in the core, there should be a way to turn this feature on/off in the config file. Maybe there is an option that turns this off but I couldn't find it...
I turned this off by commenting out the lines:

Code:

// $params = cleanParamHash($params,$this->param_map,
//				       !$this->restrict_unknown_params);
Thanks for the interest (above 80 views...) in this topic.
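
Added example (not part of the original posts and not CMSMS code): a simplified PHP model of the double encoding described in this thread, and of exempting a single parameter through a CLEAN_NONE entry in the parameter map instead of commenting out the cleanParamHash() call for every parameter. The functions encode_entities(), clean_params(), render_textarea() and displayed_text() are hypothetical stand-ins, and the input is constructed.

```php
<?php
// Added example: simplified stand-ins, not CMSMS core code.

// Stand-in encoder: HTML-escapes, then applies the "!" rule from the function quoted above.
function encode_entities($val)
{
    return str_replace('!', '&#33;', htmlspecialchars($val, ENT_QUOTES, 'UTF-8'));
}

// Stand-in for input cleaning: CLEAN_NONE passes the raw value through,
// anything else (including unmapped keys) is entity-encoded on input.
function clean_params(array $params, array $map)
{
    $out = array();
    foreach ($params as $key => $value) {
        $type = isset($map[$key]) ? $map[$key] : 'CLEAN_STRING';
        $out[$key] = ($type === 'CLEAN_NONE') ? $value : encode_entities($value);
    }
    return $out;
}

// Stand-in form helper that encodes its value once when rendering.
function render_textarea($name, $value)
{
    return '<textarea name="' . encode_entities($name) . '">'
         . encode_entities($value) . '</textarea>';
}

// What the browser shows: the markup between the tags, decoded once.
function displayed_text($html)
{
    preg_match('~<textarea[^>]*>(.*)</textarea>~su', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed input: the thread's test string plus a field carrying markup.
$posted = array('abaut' => 'ąśćł!!!!!', 'title' => '<b>news</b>');

// Case 1: everything encoded on input, then encoded again by the form helper.
$all = clean_params($posted, array());
var_dump(displayed_text(render_textarea('abaut', $all['abaut'])) === $posted['abaut']);

// Case 2: only the textarea field is exempted; it is encoded once, at output.
$one = clean_params($posted, array('abaut' => 'CLEAN_NONE'));
var_dump(displayed_text(render_textarea('abaut', $one['abaut'])) === $posted['abaut']);
var_dump($one['title']); // the other field is still encoded on input
```

A parameter exempted this way reaches the module raw, so every place that writes it into HTML has to encode it at output, as the form helper does here.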